IETF Logo Mail Archive

Re: [TLS] ESNI robustness and GREASE PRs

David Benjamin <davidben@chromium.org> Tue, 18 December 2018 20:27 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1219112D84D for <tls@ietfa.amsl.com>; Tue, 18 Dec 2018 12:27:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.563
X-Spam-Level:
X-Spam-Status: No, score=-9.563 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.065, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LUVsxgnR5AnV for <tls@ietfa.amsl.com>; Tue, 18 Dec 2018 12:27:23 -0800 (PST)
Received: from mail-qk1-x72f.google.com (mail-qk1-x72f.google.com [IPv6:2607:f8b0:4864:20::72f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE66F128D0C for <tls@ietf.org>; Tue, 18 Dec 2018 12:27:22 -0800 (PST)
Received: by mail-qk1-x72f.google.com with SMTP id q1so10285429qkf.13 for <tls@ietf.org>; Tue, 18 Dec 2018 12:27:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=oEK2jmTGS5zw7yQXiG1N5SUEbm7vWKC3yKEDsP1gLLI=; b=LuTDbYTPgyZ1hCp7xoYIixBwMXLcq+mErj+M1H8mF6O8xT7hVeO1E4IvKq9WTMV1yU jeT9wTCleYXtFSSmjt5kSJPo7I0VqdtmrClm7X7GhjHsV4YnJ4gULUx28rKzz8fOeQR9 Bbqw0YKxbT9jkWH+g0BMdPLoW2D0Sf0Qk8A0Y=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=oEK2jmTGS5zw7yQXiG1N5SUEbm7vWKC3yKEDsP1gLLI=; b=PsvVMc0hLjFw1AUEQZFb8RWFxQ9dRgVFM+Jrol2J+dsCC4jAXDyGUlMkKlqA0WqsvF GncQlk78N5vD74l6R5ZuFJG1WZkh23b4iU72RNcGtfUkNjzFkKE6xF46tPAJDng2wqFS Hqaomf8fA+izS0cFlIi18nso1MGEsxqjqCWmcjJ8gwbTYeZVCv18DMJNlJfb76cPXtDp LnNVUXAaJYjsZTnaiLH7JbBlOhlsp7xSF0RoQI0NR2B+g3eEhA8kiCgxCAApuXMLiwzc GI4kjy1YmH9k0MECRrdTv5DfE7WLQSvrs3ykP7d7zKpnisscc+/aosfYMXe3SCMLZdUo jP+w==
X-Gm-Message-State: AA+aEWY6ksGo9HoMFBd2tz/Nj3R+EkXq2oSvXZ/bLtQg7/yyyDNGXTdu LcwMpugRk6pk/a2dGTKP48+kznSv1fVpq7aKnjSh
X-Google-Smtp-Source: AFSGD/X1MBudTehK1hsfuYsmakto+WgXARq9TayaGu15xQEdiOyBTfDoSE3qJk3ZCpZ0ZUBSqo6S2rRhmsgHj4BTYvQ=
X-Received: by 2002:a37:c891:: with SMTP id t17mr17052735qkl.31.1545164841581; Tue, 18 Dec 2018 12:27:21 -0800 (PST)
MIME-Version: 1.0
References: <CAF8qwaAh-eCLOR3YX3KoVWPe8=uquO+9wwbiSYpOyxvizBSeEg@mail.gmail.com> <20181218090031.GA28550@LK-Perkele-VII>
In-Reply-To: <20181218090031.GA28550@LK-Perkele-VII>
From: David Benjamin <davidben@chromium.org>
Date: Tue, 18 Dec 2018 14:27:10 -0600
Message-ID: <CAF8qwaDyVswWZ67bwW16KaKLkWvVx57nShNQ40zW-r+o1_iL6w@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000080ec0d057d51b930"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/QvCFA3sRmHxb8WGnV734tot4yNs>
Subject: Re: [TLS] ESNI robustness and GREASE PRs
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Dec 2018 20:27:25 -0000

On Tue, Dec 18, 2018 at 3:00 AM Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:

> On Mon, Dec 17, 2018 at 05:17:37PM -0600, David Benjamin wrote:
> > Hi folks,
> >
> > We[*] wrote up some proposed changes for draft-ietf-tls-esni that we'd
> like
> > the group's thoughts on. The goal is to make ESNI more robust and
> eliminate
> > a bunch of deployment risks. The PRs are linked below:
> >
> > https://github.com/tlswg/draft-ietf-tls-esni/pull/124
> > https://github.com/tlswg/draft-ietf-tls-esni/pull/125
> >
> > The second recommends clients to send GREASE ESNI extensions when they do
> > not have cached ESNIKeys available. This better meets the "Do not stick
> > out" goal. The server behavior in the first PR gives us this for free.
>
> It seems to me that if server thinks it has ESNI enabled, but
> the client does not get ESNI keys for it, then all handshakes fall
> back to full handshake and session resumption will not work (as
> the server is required to reject the resumption)?
>

It's possible I didn't word this correctly. If the client did not get ESNI
keys for the server, the client is presumably offering a non-ESNI session,
which has no resumption restrictions. The case we want to avoid is an ESNI
session being resumed at anything other than esni_accept. That's to cut out
the resumption case in {{verify-public-name}}. In particular, if we want to
tolerate partial rollouts where some servers don't support ESNI at all
while others don't at all, this scenario is a concern:

1. Server A does ESNI. Server B does not.
2. Client gets ESNIKeys from DNS and talks to server A. ESNI works out and
all. It gets a session for origin-name.
3. Client connects again and this time load balances to server B. Or maybe
server B is server A at a later time. Perhaps the ESNI implementation had a
show-stopping bug and folks had to revert for now. It will send
SNI=public-name, ESNI=origin-name, PSKs=ticket-for-origin-name.

Since server B has no clue what's going on, it'll ignore the ESNI
extension, and then process SNI + PSKs. This runs into the mess of
cross-name resumption stuff. In particular, RFC 8446 says:

   Clients MUST only resume if the new SNI value is valid for the server
   certificate presented in the original session and SHOULD only resume
   if the SNI value matches the one used in the original session.  The
   latter is a performance optimization: normally, there is no reason to
   expect that different servers covered by a single certificate would
   be able to accept each other's tickets; hence, attempting resumption
   in that case would waste a single-use ticket.  If such an indication
   is provided (externally or by any other means), clients MAY resume
   with a different SNI value.

It is not possible for the client to honor that first sentence because it
is effectively offering two names at once, so it does not know which name
the server will use to handle the ticket. This is kind of a headache. The
ESNI bit in the session disambiguates by preventing the server from
resuming under the SNI name. The semantics are: this session is associated
with the ESNI name, not the SNI name. If you don't know what that means, or
if you can't decrypt the ESNI name, please ignore it.

Without this case (and GREASE---see remark), we could just say servers MUST
NOT resume if they send esni_retry_request.


> Also, randomly generating the ESNI key handle does stick out, as
> normally the ESNI key is releatively static (DNS caching!) across whole
> group of domains and servers.
>

This is true. I don't see a clear way around that one, short of taking the
record_digest parameter out and requiring the server do a public-key
trial-decrypt for each unexpired ESNI key. (Perhaps with key mismatch
tolerance, it's no longer necessary for servers to be quite so paranoid
about keeping all their old keys around, but the trial-decrypt still seems
poor.)

I think this is still worth doing, especially as it's basically free if you
want to support rollbacks. (Making GREASE work and tolerating ESNI-clueless
servers are very strongly related. GREASE requires that servers
more-or-less ignore ESNI on key mismatch.) You also need to either observe
multiple connections or know something about the server to do this.

David

v2.23.0 | Report a Bug | By Email